Add new rule disable_weak_deps #14173

Merged
Mab879 merged 2 commits into ComplianceAsCode:master from jan-cerny:weak_deps on Nov 25, 2025

@jan-cerny
Collaborator

This rule checks if weak package dependencies are allowed to be installed by DNF. This rule is added to RHEL 10 CIS profiles because it implements the requirement 1.2.1.5 of RHEL 10 CIS Benchmark v1.0.1.

Resolves: https://issues.redhat.com/browse/OPENSCAP-6425

jan-cerny added this to the 0.1.80 milestone Nov 24, 2025
jan-cerny added the New Rule, CIS, and RHEL10 labels Nov 24, 2025
Mab879 self-assigned this Nov 24, 2025
Member

Mab879 left a comment

I added the following test:

$ cat linux_os/guide/system/software/updating/disable_weak_deps/tests/wrong_section.fail.sh
#!/bin/bash
cat <<EOF >/etc/dnf/dnf.conf
[notmain]
install_weak_deps = 0
EOF

And got

ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_disable_weak_deps'.
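
Added example, not code from this pull request or from the ComplianceAsCode project: a shell check for the scenario in the review comment above, which passes only when install_weak_deps is set to a false value inside the [main] section. The function name check_weak_deps, the sample files, and the accepted false spellings (0, false, no, off) are assumptions.

```bash
#!/bin/bash
# Added example: not the rule's OVAL check or its bash remediation.
# check_weak_deps FILE returns 0 only when install_weak_deps is set to a
# false value inside the [main] section of FILE.
check_weak_deps() {
    [ -r "$1" ] || return 2
    awk '
        # Remember which section we are in, e.g. "main" or "notmain".
        /^[ \t]*\[.*\][ \t]*$/ {
            section = $0
            sub(/^[ \t]*\[/, "", section)
            sub(/\][ \t]*$/, "", section)
            next
        }
        /^[ \t]*[#;]/ { next }          # comment lines
        section == "main" && /^[ \t]*install_weak_deps[ \t]*=/ {
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value)
            sub(/[ \t]+$/, "", value)
            value = tolower(value)
            seen = 1
            # Assumption: 0/false/no/off are the false spellings DNF accepts.
            is_false = (value == "0" || value == "false" || value == "no" || value == "off")
            # Conservative: every occurrence in [main] must be false.
            if (!is_false) bad = 1
        }
        # DNF installs weak dependencies by default, so a missing key fails.
        END { if (seen && !bad) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample files, including the wrong-section scenario from the review.
demo_dir=$(mktemp -d)
printf '[main]\ngpgcheck=1\ninstall_weak_deps = 0\n' > "$demo_dir/main_false.conf"
printf '[notmain]\ninstall_weak_deps = 0\n'          > "$demo_dir/wrong_section.conf"
printf '[main]\ninstall_weak_deps=True\n'            > "$demo_dir/main_true.conf"
printf '[main]\ngpgcheck=1\n'                        > "$demo_dir/missing.conf"

for f in "$demo_dir"/*.conf; do
    if check_weak_deps "$f"; then echo "pass  ${f##*/}"; else echo "fail  ${f##*/}"; fi
done
rm -rf "$demo_dir"
```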

@Mab879
Member

Mab879 commented Nov 24, 2025

Also, please fix the CI issues.

This rule checks if weak package dependencies are allowed to
be installed by DNF. This rule is added to RHEL 10 CIS profiles
because it implements the requirement 1.2.1.5 of RHEL 10 CIS
Benchmark v1.0.1.

Resolves: https://issues.redhat.com/browse/OPENSCAP-6425

@jan-cerny
Collaborator Author

I have added a new test scenario, improved the bash remediation, and fixed the CI issues.

@openshift-ci

openshift-ci bot commented Nov 25, 2025

@jan-cerny: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/4.14-images | a1d351c | link | true | /test 4.14-images |
| ci/prow/e2e-aws-openshift-node-compliance | a1d351c | link | true | /test e2e-aws-openshift-node-compliance |

Mab879 merged commit f3fb601 into ComplianceAsCode:master Nov 25, 2025
138 of 140 checks passed